PerlMonks  

Filtering packets on Windows

by Anonymous Monk
on Oct 09, 2008 at 21:39 UTC (#716317=perlquestion)
Anonymous Monk has asked for the wisdom of the Perl Monks concerning the following question:

Hello Gents,

I'm sorry if this is the wrong place to ask this question, but is there a good way to filter packets on a Windows machine using Perl? I want to choose whether packets should be filtered based on information from the header. Everywhere I've looked leads me to C or C++, etc, but I don't know C as much as I know Perl.

Thanks a million.
-Sean

Re: Filtering packets on Windows
by Anonymous Monk on Oct 09, 2008 at 21:43 UTC
    Packets? Sugar or creamer?
      Hello again,

      Thanks to everyone for all the advice. I GREATLY appreciate it. (REALLY!!)

      OK, so let's start from the top:

      Yeah, sorry, IP packets, not Sugar or Creamer packets - but I heard coffee filters might work for this. BTW: I like my packets shaken and not stirred.

      I know about Net::Pcap, but I read somewhere that you can only view packets and not change them (like an IDS). I'm looking for more of the IPS or firewall approach (yes, pileofrogs, you are correct).

      I know about Squid (and actually prefer it as a proxy server solution). I want the ability to look at a packet, then if it's heading for www.badsite.com, change it to go to www.errorpage.com. I know Squid would work great for this, but I don't want a user to be able to change their proxy settings to bypass it. If I could put Squid inline, I could eliminate this, but then they could just bypass that server physically.

      I have never looked at Squid on Windows (except through Cygwin). If it does run on Windows, I'm curious how they filter packets. I know Checkpoint does it as well. My guess is that they cut into Windows using some variant of C.

      Thank you for the code, NetWallah, it's a good start. I just wish Net::Pcap would let you filter as well as view (on Windows). This would be so much easier if the world were "hooked" on Unix.

      Thanks again to everyone - I hope that answers some questions and gets one step closer.


      -Sean
      AKA: Morpheous1129
Re: Filtering packets on Windows
by Illuminatus (Curate) on Oct 09, 2008 at 21:57 UTC
Re: Filtering packets on Windows
by pileofrogs (Priest) on Oct 09, 2008 at 22:30 UTC

    When you say "filter" do you mean you want to stop them getting to applications, like a firewall, or do you mean you want to take a bunch of packets and identify certain ones?

    If it's the first case, I have no idea how it works on Windows. If it's the 2nd case, Net::Pcap and NetPacket::??? are things I've used before. Make sure you know how your packets are supposed to look though, IE, read some RFCs.

Re: Filtering packets on Windows
by aquarium (Curate) on Oct 10, 2008 at 00:12 UTC
    If you just want to filter web traffic or anything else that is proxyable, and putting a proxy inline is not too much hassle, install/set up Squid, which can easily plug in Perl to inspect/modify headers etc.
    the hardest line to type correctly is: stty erase ^H
Re: Filtering packets on Windows
by NetWallah (Monsignor) on Oct 10, 2008 at 04:38 UTC
    Here is the beginning of some code I wrote 5 years ago. /msg me if you need more.

    The header will give you an idea about what you need to install, to get started.

    #!/usr/bin/perl -w
    #
    # Network Traffic Analyzer
    # -------------------------
    # May 2003, by Netwallah
    #
    # This program analyzes network traffic, and reports on packets captured.
    # It uses the "pcap" interface (winpcap for Win32 : http://winpcap.polito.it).
    # It uses Net::pcap. Win32 version of this is at http://www.bribes.org/perl/wnetpcap.html
    # To use this, you may also need to do the following commands:
    # ppm install Data-HexDump
    # ppm install NetPacket
    # ppm install http://www.bribes.org/perl/ppm/Net-Pcap.ppd
    # ppm install http://www.bribes.org/perl/ppm/Net-PcapUtils.ppd
    #########################################################################
    use strict;
    use English;
    use Net::Pcap;
    use NetPacket::Ethernet qw(:types);
    use NetPacket::IP qw(:protos);
    use NetPacket::ARP qw(:opcodes);
    use NetPacket::TCP;
    use NetPacket::UDP;
    use NetPacket::ICMP qw(:types);
    use Data::HexDump;

    my( $pcap_desc, $err, $result);
    my $verbose = 1;
    my %pcap_parameters = (
        SNAPLEN          => 124,   # Num bytes to capture from packet
        PROMISCUOUS_MODE => 1,     # Operate in promiscuous mode?
        TIMEOUT          => 1000,  # Read timeout (ms)
        NUMPACKETS       => 500,   # Pkts to read (-1 = loop forever)
        #FILTER          => 'ip proto \icmp',           # Filter string
        FILTER           => 'arp or udp dst port 161',  # Filter string
        USERDATA         => '',    # Passed as first arg to callback fn
        SAVEFILE         => '',    # Default save file
        # Items below are RETURNED values from PCap calls.
        # Do not attempt to change them in the declaration.
        FILTER_HANDLE     => 0,       # Reference to compiled filter
        NETWORK_INTERFACE => 'intel', # Network interface to open
        NETWORK_ADDR      => 0,       # Network Address (32 bit number)
        NETWORK_MASK      => 0,       # Mask (32-bit number)
        mode              => '',      # Internal variable
    );

    # Partial list from http://www.iana.org/assignments/ethernet-numbers
    my %Ethernet_Type_Name = (
        (ETH_TYPE_IP)        => {NAME=>'IP',        DECODER => \&Decode_IP},
        (ETH_TYPE_ARP)       => {NAME=>'ARP',       DECODER => \&Decode_ARP},
        (ETH_TYPE_APPLETALK) => {NAME=>'APPLETALK', DECODER => 0},
        0x8035               => {NAME=>'RARP',      DECODER => \&Decode_ARP}, # (ETH_TYPE_RARP is NOT exported!!!)
        (ETH_TYPE_SNMP)      => {NAME=>'SNMP',      DECODER => 0},
        (ETH_TYPE_IPv6)      => {NAME=>'IPv6',      DECODER => 0},
        (ETH_TYPE_PPP)       => {NAME=>'PPP',       DECODER => 0}
    );

    # Partial list From http://www.iana.org/assignments/protocol-numbers
    my %IP_Type_Name = (
        (IP_PROTO_IP)   => {NAME=>'IP',   DECODER=>0},
        (IP_PROTO_ICMP) => {NAME=>'ICMP', DECODER=>\&Decode_IP_ICMP},
        ..snip..

         Have you been high today? I see the nuns are gay! My brother yelled to me...I love you inside Ed - Benny Lava, by Buffalax
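As an added example that is not code from the thread, from NetWallah or from the Net::Pcap project, here is the header-based decision the original question asks about done with core Perl only: it decodes the Ethernet, IPv4 and TCP/UDP headers of a raw frame and labels the frame with a verdict from a small rule table. The rule table, the addresses (RFC 5737 documentation ranges) and the sample frames are constructed for the demo, and parse_frame, decide and build_tcp_frame are hypothetical names, not part of any module named on this page.

```perl
#!/usr/bin/perl
# Added example (not from the thread): decode Ethernet/IPv4/TCP-UDP headers
# with core Perl and apply a header-based rule to each frame.
# Rules, addresses and frames below are constructed for the demo.
use strict;
use warnings;
use Socket qw(inet_aton inet_ntoa);

# Constructed rule table, first match wins. The verdict is only a label
# (an IDS-style flag for logging/alerting); nothing is actually dropped.
my @RULES = (
    { dst_ip => '203.0.113.10', dst_port => 80, verdict => 'DROP' },  # one host:port
    { dst_port => 23,                            verdict => 'DROP' },  # any telnet
);

# Parse an Ethernet II frame. Returns a hashref of header fields, or
# undef for non-IPv4 or truncated input (a truncated frame must never
# be treated as a match).
sub parse_frame {
    my ($raw) = @_;
    return undef if length($raw) < 14;
    my ($dst_mac, $src_mac, $ethertype) = unpack('a6 a6 n', $raw);
    return undef unless $ethertype == 0x0800;           # IPv4 only
    my $ip = substr($raw, 14);
    return undef if length($ip) < 20;
    my ($vhl, $tos, $len, $id, $frag, $ttl, $proto, $csum, $src, $dst)
        = unpack('C C n n n C C n a4 a4', $ip);
    my $ihl = ($vhl & 0x0f) * 4;                         # header length incl. options
    return undef if ($vhl >> 4) != 4 || $ihl < 20 || length($ip) < $ihl;
    my %pkt = (
        src_ip => inet_ntoa($src), dst_ip => inet_ntoa($dst),
        proto  => $proto,          ttl    => $ttl,
    );
    if ($proto == 6 || $proto == 17) {                   # TCP or UDP: ports come first
        my $l4 = substr($ip, $ihl);
        return \%pkt if length($l4) < 4;                 # ports missing: leave undefined
        @pkt{qw(src_port dst_port)} = unpack('n n', $l4);
        if ($proto == 6 && length($l4) >= 14) {
            $pkt{tcp_flags} = unpack('C', substr($l4, 13, 1)) & 0x3f;
        }
    }
    return \%pkt;
}

# Apply the rule table; a rule matches only if every field it names matches.
sub decide {
    my ($pkt) = @_;
    for my $r (@RULES) {
        next if defined $r->{dst_ip}
             && $r->{dst_ip} ne $pkt->{dst_ip};
        next if defined $r->{dst_port}
             && (!defined $pkt->{dst_port} || $r->{dst_port} != $pkt->{dst_port});
        return $r->{verdict};
    }
    return 'PASS';
}

# Build a constructed Ethernet/IPv4/TCP SYN frame for the demo.
# Checksums are left zero: these frames are never transmitted.
sub build_tcp_frame {
    my ($src_ip, $dst_ip, $src_port, $dst_port) = @_;
    my $tcp = pack('n n N N C C n n n',
        $src_port, $dst_port, 1, 0, 5 << 4, 0x02, 65535, 0, 0);
    my $ip  = pack('C C n n n C C n a4 a4',
        0x45, 0, 20 + length($tcp), 0x1234, 0x4000, 64, 6, 0,
        inet_aton($src_ip), inet_aton($dst_ip));
    my $eth = pack('a6 a6 n',
        "\x00\x11\x22\x33\x44\x55", "\x66\x77\x88\x99\xaa\xbb", 0x0800);
    return $eth . $ip . $tcp;
}

my @frames = (
    build_tcp_frame('192.0.2.7', '203.0.113.10', 51000, 80),
    build_tcp_frame('192.0.2.7', '203.0.113.10', 51001, 443),
    build_tcp_frame('192.0.2.7', '198.51.100.5', 51002, 23),
    pack('a6 a6 n', "\x00" x 6, "\x00" x 6, 0x0806) . ("\x00" x 28),  # ARP, not IPv4
);
for my $raw (@frames) {
    my $pkt = parse_frame($raw);
    if (!$pkt) { print "non-IPv4 frame ignored\n"; next; }
    printf "%-15s:%-5s -> %-15s:%-5s proto=%d verdict=%s\n",
        $pkt->{src_ip}, $pkt->{src_port} // '-',
        $pkt->{dst_ip}, $pkt->{dst_port} // '-',
        $pkt->{proto},  decide($pkt);
}
```

parse_frame takes the raw frame bytes in the same form a Net::Pcap loop callback receives them, so the same decide routine can be run over a live capture (or a saved capture file) behind a BPF filter like the one in NetWallah's %pcap_parameters. As the thread notes, WinPcap only observes traffic, so the verdict here is a log or alert label, not an enforced drop.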

      Sorry for the duplicate post, I wanted to move this to the bottom...


      Dear sir, your code has many problems. Could you please re-write the code again if you have time... I need this code urgently.

        This node reinforced my point in Re: Urgent Help required with PERL CGI. Unfortunately I cannot consider such rubbish for reaping. Might I kindly suggest granting Anonymous Monk moderation privileges?
